Article ID: 2535227
When a federated user signs in to access a Microsoft cloud service such as Office 365, Microsoft Azure, or Windows Intune, the user is prompted unexpectedly to enter his or her organizational account credentials. After the user enters his or her credentials, the user is granted access to the cloud service.
Note: Not all federated user authentication experiences are without a credential prompt. In certain scenarios, it's by design and expected that federated users are prompted to enter their credentials. Make sure that the credential prompt is unexpected before you continue.
This issue may occur for internal domain clients if one or more of the following conditions are true:
To resolve this issue, use one or more of the following methods, as appropriate for your situation.
Method 1: Make sure that the DNS server has a host record for the AD FS endpoint
Make sure that the DNS server has a host record for the AD FS endpoint that is appropriate to the client computer that is experiencing this issue. For internal clients, this means that the internal DNS server should resolve the AD FS endpoint name to an internal IP address. For Internet clients, this means that the endpoint name should resolve to a public IP address. To test this on the client, follow these steps:
Method 2: Check the local intranet zone and proxy server settings in Internet Explorer
Use one of the following procedures, as appropriate for your situation.
Procedure A
Check the local intranet zone and proxy server settings in Internet Explorer. To do this, follow these steps:
Procedure B
Manually configure the security settings for the security zone in Internet Explorer. The default security setting that causes the local intranet zone not to prompt for Windows authentication can be configured manually for any security zone in Internet Explorer. To customize the security zone of which the AD FS service name is already a part, follow these steps:
Warning: We highly discourage this configuration because it could result in the unintended submission of Integrated Windows Authentication traffic to websites.
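A read-only audit of the setting that Procedure B and its warning concern, as an added example that is not part of the article: it lists the Logon setting per security zone and flags any zone other than Local intranet that is set to automatic logon. The registry paths and the 1A00 values are the documented Internet Explorer zone settings, not taken from this article, and PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the KB article). Reads the documented Internet Explorer
# zone setting 1A00 (User Authentication > Logon) for each security zone. Read-only.
$zoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$logonModes = @{
    0x00000 = 'Automatic logon with current user name and password'
    0x10000 = 'Prompt for user name and password'
    0x20000 = 'Automatic logon only in Intranet zone'
    0x30000 = 'Anonymous logon'
}

# Per-user settings plus the user and machine policy locations.
$roots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

$report = foreach ($root in $roots) {
    foreach ($zone in 1..4) {
        $item = Get-ItemProperty -Path "$root\$zone" -Name '1A00' -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }   # 1A00 is not set at this location

        $value = [int]$item.'1A00'
        if ($logonModes.ContainsKey($value)) {
            $mode = $logonModes[$value]
        } else {
            $mode = 'Unrecognized value 0x{0:X}' -f $value
        }

        [pscustomobject]@{
            Location = $root
            Zone     = $zoneNames[$zone]
            Logon    = $mode
            # Outside the Local intranet zone, only 0x00000 submits Windows
            # credentials without a prompt, which is the case the warning describes.
            AutoLogonOutsideIntranet = ($zone -ne 1) -and ($value -eq 0)
        }
    }
}

$report | Format-Table -AutoSize -Wrap

# Zones that need review: automatic logon enabled outside Local intranet.
$report | Where-Object { $_.AutoLogonOutsideIntranet } | Format-List
```

An empty second listing means no zone other than Local intranet is configured to submit Integrated Windows Authentication credentials automatically.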
Method 3: Check the IIS authentication settings for the AD FS federation service and proxy service
Verify that the IIS authentication settings for the AD FS federation and proxy services are configured correctly. For more information, see the following article in the Microsoft Knowledge Base:
A federated user is repeatedly prompted for credentials during sign-in to Office 365, Azure, or Windows Intune (http://support.microsoft.com/kb/2461628/)
Method 4: Use Internet Explorer or a third-party web browser
Use Internet Explorer or a third-party web browser that supports integrated Windows authentication.
Method 5: Verify connectivity to Active Directory
Log off from the client computer and then log on as an Active Directory user. If logon is successful, verify the connectivity to Active Directory by using the Nltest command-line tool. To use the Nltest tool, you must have Windows Server 2003 Support Tools installed on the computer.
Accessing Office 365 resources by using a non-federated account or a federated account from a public Internet connection may not result in a single sign-on experience.
The experience for logging on to Microsoft Outlook connections is also not expected to be a single sign-on experience.
Still need help? Go to the Office 365 Community (http://community.office365.com/) website or the Azure Active Directory Forums
Article ID: 2535227 - Last Review: July 9, 2014 - Revision: 35.0